Uber’s Hack Illustrates New Dangers from DevOps

Posted Date 12/14/17

The Uber hack, in which personal data for 50 million passengers and seven million drivers was lost, is indicative of a new category of cyberthreats arising from the integration of software development and operation. According to an article in Security Boulevard, the hack highlights the fact that the drive to speed up the process of writing and implementing code as fast as possible is compromising security.

Here is the point. The hack was made possible by the fact that a Uber developer shared their AWS logon credentials on GitHub, a software developer platform, where they uploaded some code base. The hackers got hold of the credentials and breached Uber’s network.

The problem, however, is that this unknown Uber developer is by far not the only one sharing logon credentials on GitHub. According to cybersecurity experts, it is more or less standard practice nowadays. As jeremiah Grossman from SentinelOne explains, in today’s software development world, programmers need to take data from various points and bring it all into one spot.

For example, a developer for Uber, which is a very internet-centric business, will need to make sure the code they write authenticates with Amazon, Facebook, Twitter, etc. To do this, the developer has to include authentication keys, or credentials, in the source code. In the words of Grossman, “It’s like leaving your key under the doormat where anybody can easily find it and use it.”

Of course, now that the Uber hack is a fact, chances are that more hackers will try to get their hands on such credentials on GitHub and there are literally thousands and thousands of them there, accessible and vulnerable to abuse. The only way to counter it is to take the slower path, with developers making sure that only certain people will have access to the credentials they share on GitHub.